Web Server Administration

1
Web Server Administration

• Chapter 10
• Securing the Web Environment

2
Overview

• Identify threats and vulnerabilities
• Secure data transmission
• Secure the operating system
• Secure server applications

3
Overview

• Authenticate Web users
• Use a firewall
• Use a proxy server
• Use intrusion detection software

4
Identifying Threats and Vulnerabilities

• Focus is on threats from the Internet
• Hackers sometimes want the challenge of
  penetrating a system and vandalizing it other
  times they are after data
• Data can be credit card numbers, user names and
  passwords, other personal data
• Information can be gathered while it is being
  transmitted
• Often, operating system flaws can assist the
  hacker

5
Examining TCP/IP

• Hackers often take advantage of the intricacy of
  TCP/IP
• The following are parts of the IP header most
  relevant to security
• Source address
• Destination address
• Packet identification, flags, fragment offset
• Total length
• Protocol TCP, UDP, ICMP

6
TCP-Delivering Data to Applications

• Important header fields
• Source and destination ports
• Sequence number, data offset
• Flags, such as SYN, ACK, FIN
• Establishing a TCP connection

7
Vulnerabilities of DNS

• Historically DNS has had security problems
• BIND is the most common implementation of DNS and
  some older version had serious bugs
• BIND 9, the current version, has been more secure

8
Vulnerabilities in Operating Systems

• Operating systems are large and complex which
  means that there are more opportunities for
  attack
• Although Windows has had its share of problems,
  often inattentive administrators often fail to
  implement patches when available
• Some attacks, such as buffer overruns, can allow
  the attacker to take over the computer

9
Vulnerabilities in Web servers

• Static HTML pages pose virtually no problem
• Programming environments and databases add
  complexity that a hacker can exploit
• Programmers often do not have time to focus on
  security

10
Vulnerabilities of E-mail Servers

• By design, e-mail servers are open
• E-mail servers can be harmed by a series of very
  large e-mail messages
• Sending an overwhelming number of messages at the
  same time can prevent valid users from accessing
  the server
• Viruses can be sent to e-mail users
• Retrieving e-mail over the Internet often
  involves sending your user name and password as
  clear text

11
Securing Data Transmission

• To secure data on a network that is accessible to
  others, you need to encrypt the data
• SSL is the most common method of encrypting data
  between a browser and Web server
• Secure Shell (SSH) is a secure replacement for
  Telnet

12
Secure Sockets Layer (SSL)

• A digital certificate issued by a certification
  authority (CA) identifies an organization
• The public key infrastructure (PKI) defines the
  system of CAs and certificates
• Public key cryptography depends on two keys
• A public key is shared with everyone
• The public key can be used to encrypt data
• Only the owner of the public key has the
  corresponding private key which is needed to
  decrypt the data

13
Establishing an SSL Connection
14
Using SSH for Tunneling

• Tunneling allows you to use an unsecure protocol,
  such as POP3, through a secure connection, such
  as SSH
• To set up tunneling
• Configure the SSH client so the local port is
  55555 (or another port between 1024 and 65535)
• Configure the SSH client to connect to POP3 port
  110
• Log in to the SSH client
• Direct the e-mail client to port 5555 and log in
  to the e-mail server

15
Securing the Operating System

• Use the server for only necessary tasks
• Minimize user accounts
• Disable services that are not needed
• Make sure that you have a secure password
• In addition to using upper case, lower case
  numbers and symbols, hold down the ALT key on a
  number (on the numeric keypad) from 1 to 255
• Check a table of ALT values to avoid common
  characters
• The use of the ALT key will thwart most hackers

16
Securing Windows

• There are many services that are not needed in
  Windows for most Internet-based server
  applications
• Alerter
• Computer browser
• DHCP client
• DNS client
• Messenger
• Server
• Workstation
• Also, the registry can be used to alter the
  configuration to make it more secure such as
  disabling short file names

17
Securing Linux

• As with Windows, make sure that you only run
  daemons (services) that you need
• Generally, daemons are disabled by default
• The command netstat -l gives you a list of
  daemons that are running
• Use chkconfig to enable and disable daemons
• chkconfig imap on would enable imap

18
Securing E-mail

• You have already seen the ability to tunnel POP3
  which would prevent data from being seen
• Exchange 2000 can also use SSL for the protocols
  it uses
• To prevent someone from sending large e-mail
  messages until the disk is full, set a size limit
  for each mailbox

19
Securing the Web Server

• Enable the minimum features
• If you don't need a programming language, do not
  enable it
• Make sure programmers understand security issues
• Implement SSL where appropriate

20
Securing the Web ServerApache Directories

• You can restrict access to directories by using
  "allow" and "deny"
• The following only allows computers with the two
  IP addresses to access the directory
• order allow, deny
• allow from 10.10.10.5 192.168.0.3
• deny from all

21
Securing the Web Server-IIS

• The URLScan utility blocks potentially harmful
  page requests
• The IIS Lockdown utility has templates to ensure
  that you only enable what you need
• Change NTFS permissions in \inetpub\wwwroot from
  Everyone Full Control to Everyone Execute
• In IIS 5, delete \samples \IISHelp and \MSADC
  folders
• Delete extensions you do not use, such as .htr,
  .idc, .stm, and others

22
Authenticating Web Users

• Both Apache and IIS use HTTP to enable
  authentication
• HTTP tries to access a protected directory and
  fails
• Then it requests authentication from the user in
  a dialog box
• Accesses directory with user information
• Used in conjunction with SSL

23
Configuring User Authentication in IIS

• Four types of authenticated access
• Windows integrated authentication
• Most secure requires IE
• Digest authentication for Windows domain servers
• Works with proxy servers
• Requires Active Directory and IE
• Basic authentication
• User name and password in clear text
• Works with IE, Netscape, and others
• Passport authentication
• Centralized form of authentication
• Only available on Windows Server 2003

24
User Authentication in Apache

• Basic authentication is most common
• User names and passwords are kept in a separate
  file
• Create password file
• -c creates the users file
• -b adds a password when creating user
• htpasswd c users mnoia
• htpasswd users fpessoa
• htpasswd users lcamoes b lusiades

25
ApacheUser Authentication Directives
26
ApacheUser Authentication

• Assume you want to restrict the /newprods
  directory to any user in the users file
• AuthName "New Product Information"
• AuthType Basic
• AuthUserFile /var/www/users
• require valid-user

27
Using a Firewall

• A firewall implements a security policy between
  networks
• Our focus is between the Internet and an
  organization's network
• You need to limit access, especially from the
  Internet to your internal computers
• Restrict access to Web servers, e-mail servers,
  and other related servers

28
Types of Filtering

• Packet filtering
• Looks at each individual packet
• Based on rules, it determines whether to let it
  pass through the firewall
• Circuit-level filtering (stateful or dynamic
  filtering)
• Controls complete communication session, not just
  individual packets
• Allows traffic initialized from within the
  organization to return, yet restricts traffic
  initialized from outside
• Application-level
• Instead of transferring packets, it sets up a
  separate connection to totally isolate
  applications such as Web and e-mail

29
A Packet-filtering Firewall

• Consists of a list of acceptance and denial rules
• A firewall independently filters what comes in
  and what goes out
• It is best to start with a default policy that
  denies all traffic, in and out
• We can reject or drop a failed packet
• Drop (best) thrown away without response
• Reject ICMP message sent in response

30
Firewall on Linux - iptables

• Connections can be logged
• Initializing the firewall
• Remove any pre-existing rules
• iptables --flush
• Set default policy to drop packets
• iptables --policy INPUT DROP
• iptables --policy OUTPUT DROP
• At this point nothing comes in and nothing goes
  out

31
Describing the Packets to Accept

• -A (Append rule)
• INPUT or OUTPUT
• -i eth0 (input interface) or o eth0 (output)
• -p tcp or -p udp (protocol type)
• -s , -d (source, destination address)
• --sport, --dport (source, destination port)
• -j ACCEPT (this is a good rule)

32
Allowing Access to Web Server

• Allow packets from any address with an
  unprivileged port to the address on our server
  destined to port 80
• The following should be on a single line
• iptables A INPUT i eth0 p tcp --sport
  102465535 d 192.168.1.10 --dport 80 j ACCEPT
• Allow packets to go out port 80 from our server
  to any unprivileged port at any address
• iptables A OUTPUT o eth0 p tcp s 192.168.1.10
  
• --sport 80 --dport 102465535 j ACCEPT

33
Allowing Access to DNS

• DNS uses port 53
• UDP for resolving, TCP for zone transfers
• iptables A INPUT i eth0 p udp --sport
  102465535 d 192.168.1.10 --dport 53 j ACCEPT
• iptables A OUTPUT o eth0 p udp s 192.168.1.10
  
• --sport 53 --dport 102465535 j ACCEPT
• iptables A INPUT i eth0 p tcp --sport
  102465535 d 192.168.1.10 --dport 53 j ACCEPT
• iptables A OUTPUT o eth0 p tcp s 192.168.1.10
  
• --sport 53 --dport 102465535 j ACCEPT

34
Allowing Access to FTP

• Port 21 for data, port 20 for control
• Data is transferred through unprivileged ports
• Opening unprivileged ports can be a problem
• iptables -A INPUT -i eth0 -p tcp --sport
  102465535 -d 192.168.1.10 --dport 21 -j ACCEPT
• iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10
  --sport 21 --dport 102465535 -j ACCEPT
• iptables -A INPUT -i eth0 -p tcp --sport
  102465535 -d 192.168.1.10 --dport 20 -j ACCEPT
• iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10
  --sport 20 --dport 102465535 -j ACCEPT
• iptables -A INPUT -i eth0 -p tcp --sport
  102465535 -d 192.168.1.10 --dport 102465535 -j
  ACCEPT
• iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10
  --sport 102465535 --dport 102465535 -j ACCEPT

35
Using a Proxy Server

• A proxy server delivers content on behalf of a
  user or server application
• Proxy servers need to understand the protocol of
  the application that they proxy such as HTTP or
  FTP
• Forward proxy servers isolate users from the
  Internet
• Users contact proxy server which gets Web page
• Reverse proxy servers isolate Web server
  environment from the Internet
• When a Web page is requested from the Internet,
  the proxy server retrieves the page from the
  internal server

36
Using Intrusion Detection Software

• Intrusion detection is designed to show you that
  your defenses have been penetrated
• With Microsoft ISA Server, it only detects
  specific types of intrusion
• In Linux, Tripwire tracks changes to files

37
Tripwire

• Tripwire allows you to set policies that allow
  you to monitor any changes to the files on the
  system
• Tripwire can detect file additions, file
  deletions, and changes to existing files
• By understanding the changes to the files, you
  can determine which ones are unauthorized and
  then try to find out the cause of the change

38
Tripwire

• After installing Tripwire, you configure the
  policy file to determine which files to monitor
• A default list of files is included but it will
  take time to refine the list
• A report can be produced to find out which files
  have been added, changed, and deleted
• Usually, it runs automatically at night

39
Intrusion Detection in ISA Server

• The following intrusions are tracked
• Windows out-of-band (WinNuke)A specific type of
  Denial-of-Service attack
• LandA spoofed packet is sent with the SYN flag
  set so that the source address is the same as the
  destination address, which is the address of the
  server. The server can then try to connect to
  itself and crash.
• Ping of death The server receives ICMP packets
  that include large files attachments, which can
  cause a server to crash.
• IP half scan If a remote computer attempts to
  connect to a port by sending a packet with the
  SYN flag set and the port is not available, the
  RST flag is set on the return packet. When the
  remote computer does not respond to the RST flag,
  this is called an IP half scan. In normal
  situations, the TCP connection is closed with a
  packet containing a FIN flag.
• UDP bomb A UDP packet with an illegal
  configuration.
• Port scan You determine the threshold for the
  number of ports that are scanned (checked) before
  an alert is issued.

40
Summary

• Every computer connected to the Internet
  represents a potential target for attack
• Hackers can gather data and modify systems
• SSL can secure data transmission
• Keep each server to a single purpose such as Web
  server or e-mail
• Keep applications and services to a minimum

41
Summary

• User authentication controls access to one or
  more Web server directories
• Firewalls control access policies between
  networks
• A proxy server delivers content on behalf of a
  user or server application
• Intrusion detection software identifies
  intrusions but typically does not prevent them